Bruce Schneier Has An Open Wi-Fi Network

from the share-and-share-alike dept

Bruce Schneier, one of the sharpest people in the computer security world, has a great piece about why he leaves his home wireless network open for anyone to use. When I wrote something similar a couple of years ago, I caught a lot of flak from people who said that I was opening myself up to security risks, either from people downloading child pornography with my connection or from people hacking into my home computers and stealing my data.

But as Schneier points out, neither of these risks is unique to your home wireless network. Like Schneier, I've got several restaurants and coffee shops within walking distance of my apartment that offer free wi-fi access. While it's not impossible that somebody would park their car out in front of my street and use my Internet connection to do something illegal, it seems more likely that they'd do so over a cup of coffee in one of the nearby coffee shops, where they wouldn't evoke suspicion.

Moreover, I have a laptop and I visit coffee shops and other locations with open wi-fi connections all the time. If my laptop has security vulnerabilities, I should be a lot more worried about getting cracked on those networks (which make it easy to target a bunch of people at once) than that I'll have the bad luck of living next to a cracker. I need to keep my laptop properly locked down in any event. Once I've done that, an open wi-fi network is a fairly minor risk.

Finally, Schneier closes by pointing out that security is a trade-off. If perfect security is your standard, you shouldn't connect to the Internet at all, because there's always a risk of a security breach. Given that we're willing to accept some level of risk if we have a good reason, the question we should be asking is about the relative risks of different activities. The risk of leaving your wireless network open isn't zero, but it's probably small.

Now, I should point out that all of this assumes that you're a reasonably technically savvy individual with an understanding of basic security concepts: that you know how to update your operating system on a regular basis and that you've set the administrative password on your access point to a non-default value. If you're a complete networking neophyte (not that many of those probably read Techdirt), you should probably get some advice from someone more technically savvy about good Internet security practices. Actually, you should do that whether or not you choose to open your wireless network. But an open wi-fi network is probably pretty low on the list of potential network security threats.

What about neighbors?

Many people live in apartment blocks or dense developments. I am not worried about the stranger in a car pulling up in front, I am worried about Bill Know-it-all down the hall, who hacks me or uses my system to hide his identity for things like file sharing to Warez etc.

Re: What about neighbors?

Schneier's point is that if someone does use your access point to "do evil" you will be less open to prosecution if you prove your access is open to everyone. Just because you could have done "the evil" doesn't mean you did...

Who cares about security...

I sure don't, the only reason I set up a password on my access point is cause I'm bandwidth greedy. If I can shave off 50ms off my ping in COD4 by stopping my neighbor from running his BitTorrent client through my connection, then security is a very good idea. In fact I secretly go around my house and connect everyone else's computers to other (open) networks instead of mine. Evil? Maybe. Do I care? Nope.

Get your packets here.

Everyone should have an open access point.
It's just good moral behavior to share.
I leave any wap open that I can get my hands on.
I've even installed open waps without anyone knowing that this was done.
Information should be free!
Let's not place a speed limit on our highways.

Re: Who cares about security...

Yeah, my thing is that I want the bandwidth. If there was some easy way to flip it to open while I wasn't using it, I'd sign up for that. But until we get better speeds in the US for our home connections, it's really simple: I need it all, I pay for it all, I get it all.

Re: Get your packets here.

Everyone should have an open access point.

What, are you nuts? People have to be controlled! And to do that their thoughts must be controlled which means controlling their communications. Otherwise there is just no telling what kind of dangerous, destabilizing ideas might get started.

It's just good moral behavior to share.

Open-wifi is a danger to an orderly society!

I leave any wap open that I can get my hands on.
I've even installed open waps without anyone knowing that this was done.

The government should start patrolling for open-wifi, arresting the owners and putting them in prison where they belong! Same thing for anyone caught using one!

Information should be free!

Information should never be free. Freedom is bad for an orderly society!

The only reason I locked down my access point was because someone using it would knock both of my computers off and crash the router, requiring a hard reboot. When I get my new router, it will be open once more.

Missed the point

I think some of the commenters missed the point - It's not that data, or access, should be "free" or that the writer doesn't value his data or want to keep it secret. The point is that if the WEP key is the only thing between a hacker and your data, you've got bigger problems than an open wireless network.

My feeling is that he largely did this as a "publicity stunt" and to start the conversation that we're having, which is good.

I'd only say that for most people, WEP or other wireless security is an easy thing to enable to make the casual bandwidth hog continue down the road to the coffee shop rather than to use your WAP.

I'd agree that you need more security internally regardless of your wireless security, and that wireless security is not the whole answer, but if it is enough to make someone who isn't looking for YOUR data to go find an easier network to connect to then it's worth having.

Well that's a dumb logic... wow. Potentially allow others to do harm, then defend yourself? You could be charged just for "encouraging" others to do harm by willingly leaving your wireless connection open to those who seek exactly that. At least use a lame 64bit WEP key that any kiddie can crack, that way you're at least a little safer from prosecution.

"If perfect security is your standard, you shouldn't connect to the Internet at all, because there's always a risk of a security breach." -- That coming from a so-called security expert? Remind me never to listen to him? heh. He's like the church isn't he? Saying abstinence is better than a condom? Most ridiculous thing I've read all week.

Re #10 & My Open WAP

Re #10:
He is a security expert. And quite respected by anyone who watches the field or knows a lot about it. He has my respect and I don't even frequent his stuff by any means.

My WAP:
It is open, no encryption at all. But I also live in the woods, and it is also in my basement, which happens to be underground.
I have tested and its signal doesn't go overly far from the house.
Anyone accessing it I could see sitting in my yard or next to my house. =)

Re: Re: What about neighbors?

Then why not install an open (misconfigured) proxy as well? And have a public FTP server? If you want to start talking about liability, there's plenty of ways to claim you were "hacked" and so forth... but you still will have to explain yourselves to authorities and such. So.. like it was said, ask for problems then defend yourself? What a brilliant way of thinking. Let's go shoot a bunch of people and say someone borrowed my gun cause I left it on the table the other day .. *sigh*

Don't Assume That Short Range Is Security

RE #12

I do this as well, sometimes, by turning down, or even disconnecting an antenna or two. But don't kid yourself that this is providing MUCH security (sure, it provides some obscurity).

A determined "visitor" will come with a better client side antenna than anything you're using. For example, I have a Cantenna that gains me about 12 dBi. If I aim that at your house, I might be able to get a signal further than your laptop. Someone with a dish could do better. Actually, you probably know exactly what you're doing, but I'm writing this to clarify the point.

Unlikely, for sure, but "security through obscurity" should be taken for what it is.

A slice

I've always thought that routers should have the ability to donate a small (5% perhaps) part of their bandwidth for public consumption. So when my neighbor's network goes down, he could use mine to help debug his problems and vice versa. These local networks should also be in touch with each other - so you could run neighborhood message boards, etc...

Security

Leave your Wireless open and have a spammer drive by and transmit 100k of spam over your internet connection. I'm sure DSL and Cable will understand. When it happens in Tulsa, they shut your connection down, mail you a form to sign that says you are aware of their anti-spam and usage policies, then MAYBE you will be back up in a week. It's happened a few times that I know of.

Cafes usually don't have this problem because you register with your web browser before any other online activity. It doesn't mean they will verify your identity, but at least they can shut the account down.

Re: A slice

That is not an uncommon set up, although depending on the details it can take some work to set up. My router prioritizes traffic from known MAC addresses before unknown MAC addresses rather than giving only 5%, but it is the same concept.
I don't know of any off the shelf home routers that support that but a DIY Linux (and most likely *BSD, etc.) router can do it if you're willing to take the time.

Mine's been open since I installed it...

... for essentially the same reasons. Port 25 is blocked, and wireless is in the DMZ so that nothing on my inside network is accessible except web, ssh, dns, and ipp (so my guests can print, if I tell them the URL of my printer).
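A setup like the one described in the comment above could be expressed as an nftables ruleset along these lines. This is an added example, not the commenter's configuration; the interface names (`wan0`, `lan0`, `wlan0`), the table names, and the reading of "web" as ports 80 and 443 are assumptions.

```nftables
# Added example, not the commenter's actual configuration.
# Assumed (hypothetical) interfaces: wan0 = uplink, lan0 = inside network,
# wlan0 = the open wireless segment (the "DMZ").
define WAN  = "wan0"
define LAN  = "lan0"
define WIFI = "wlan0"

table inet openwifi {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        meta l4proto { icmp, ipv6-icmp } accept
        iifname $LAN accept
        # Open-wireless clients reach the router itself only for DHCP and DNS,
        # never its administrative interface.
        iifname $WIFI udp dport { 53, 67 } accept
        iifname $WIFI tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Port 25 blocked: wireless guests cannot send SMTP through this link.
        iifname $WIFI tcp dport 25 reject with tcp reset
        # Wireless -> inside: only ssh, dns, web and ipp (631, printing).
        iifname $WIFI oifname $LAN tcp dport { 22, 53, 80, 443, 631 } accept
        iifname $WIFI oifname $LAN udp dport 53 accept
        # Wireless -> Internet: everything else is allowed out.
        iifname $WIFI oifname $WAN accept
        # Inside hosts may initiate connections anywhere.
        iifname $LAN accept
    }
}

table ip openwifi_nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

Running `nft -c -f` on the file checks the syntax without loading the rules.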

open access with less danger

I have installed an open access point but with conditions. I used two routers. The first open and connected to internet access and the second connected to the first which has the network attached to it and the wireless secured. This way the customers can use the open point but the network is as safe as if it was with no open access.

Not sure what the point trying to be made here is... If your router has security, enable it... Saying the risk is minimal is stupid when all you have to do is go into the config and turn it on. Whoever the hell Bruce Schneier is, he doesn't sound like any sort of knowledgeable person on this subject. Let alone the fact that he is TELLING you that his access point is wide open, which only adds to the risk.

Conscious decision versus carelessness

As others here have noted, opening up your wi-fi is likely to be fine, provided a few conditions are met:

1. You don't have any download quotas on your Internet connection
2. You either don't play online games or have a router that is smart enough to prioritise your own machines above external connections
3. You have a second firewall between the Wi-fi router and any network accessible internal resources (printers, network drives, media PC)
4. Your wi-fi equipped devices are set up to use a VPN or other mechanism (e.g. SSH tunnels) to get access to the resources on the internal network
5. The network accessible resources themselves are also locked down reasonably well

So, if the rest of the home network is properly secured, then sure, leave the wi fi open because it doesn't matter - you can "pay it forward" as Bruce puts it without any real inconvenience to yourself. On the other hand, if you don't have those extra layers of defence in place, then having WPA (*not* WEP) switched on in your wi-fi and having all incoming connections from the Internet blocked in your router are both *very* good ideas. Sure, neither of those defences is likely to stand up to a concerted attack, but we're talking about a home network here - the idea is to keep out script kiddies, not serious professionals.

Bruce's Warriors

Almost a year ago, Bruce Schneier asked in his blog if we really need a security industry.

“As I often do, I mused about what it means for the IT industry that there are thousands of dedicated security products on the market: some good, more lousy, many difficult even to describe. Why aren’t IT products and services naturally secure, and what would it mean for the industry if they were?”, Bruce Schneier http://www.schneier.com/blog/archives/2007/05/do_we_really_ne.html

I think his opinion about making Wifi open is consistent with what he wrote. He is pushing people to train the warriors instead of relying on untrained warriors with a lot of shields around their bodies.

But the problem is that I have the feeling that he is somehow confused and cannot tell when the warrior’s body ends and when his shields start.

"You could be charged just for "encouraging" others to do harm by willingly leaving your wireless connection open to those who seek exactly that. At least use a lame 64bit WEP key that any kiddie can crack, that way you're at least a little safer from prosecution."

So now charity is illegal? I don't think that argument would ever fly in a criminal prosecution. Unfortunately the bar for a civil suit is much lower, they might actually convince a jury that "logic" makes sense.

Giving away what's not yours

Talk about false dichotomies...

If a coffee shop makes a business decision that they are more competitive by offering no-charge Internet access, then they create an agreement with their ISP that allows them to do so. The theory is that they will sell enough $10 cups of coffee to cover the ISP charges. This will probably cost a few hundred dollars a month -- several times the usual cost of a residential ISP connection.

So, if a residential customer decides to give away access via a wireless AP, they are in effect stealing the difference between a residential and a commercial connection fee. That is why your ISP TOS prohibits you from reselling or giving away indiscriminate access.

Yes, there is some small risk of liability from illegal activity -- warez, spam, porn, hacking, DDOS -- lots of criminals out there, not so many near my house.

The law has not caught up with technology and never will, and there are a lot of people that don't want to respect the rights of ISP companies. (Yes, they have rights even if they behave unethically in other areas.)

I secure my home network because my ISP agreement obligates me to do so.

PS: There are some signs the all-you-can-surf model may eventually go away, or be a premium level of service. If we go back to the pre-AOL metered model, you unsecured people may find out the cost of what you thought was free.